Closed ceejbot closed 6 years ago
This works for [markdown](links)
but plain old <a>
tags don't get munged.
A patch that adds support for <a>
html tags as well, not sure if it's the most elegant approach, but seems to work. https://gist.github.com/isaacs/16c0595f48bbaa8d44898112ff112630
Aha, I missed that case. Nice catch. Will snag patch.
Weird; what happened to the CI build? Manually canceled?
@revin That's correct. I think in that case, you've explicitly said that you want to add rel=nofollow
to markdown links, but don't want to do any sanitization of inline html. So, any inline html should be untouched (because we're not sanitizing), and thus, you're getting exactly what you asked for. Note that you'd also be allowing <a onclick=alert(/xss/)>
.
I think that cases where you're using nofollow on trusted code would be kind of unusual anyway, no?
@isaacs yeah I'll buy that. I don't think we've ever had a particularly well defined policy on whether or not we treat markdown content and HTML content as having different semantics around their processing. I'd be very interested in just leaving raw HTML alone and being only a markdown processor, although I'm like 95% sure that would break real READMEs in the wild.
Guess now we gotta figure out how to fix the CI build.
(labeling this as semver-major since the new option is defaulting to true
)
Tests passed when I ran them by hand, fwiw.
Yeah they only seem to fail on node 6, which type of problem historically in this project indicates an upstream dependency dropping support (read: using newer JS features unsupported in the older node) somewhere along the line
rel
to the allowed list of attributes in the sanitizer.